Customers of some phone companies in Germany, including Vodafone and Deutsche Telekom, have had a slightly different browsing experience from those on other providers since early April. Rather than seeing ads through regular third-party tracking cookies stored on devices, they’ve been part of a trial called TrustPid.
TrustPid allows mobile carriers to generate pseudo-anonymous tokens based on a user’s IP address that are administered by a company also named TrustPid. Each user is assigned a different token for each participating website they visit, and these can be used to provide personalized product recommendations—but in what TrustPid calls “a secure and privacy-friendly way.” It’s that “privacy-friendly” part that has raised critics’ hackles.
The internet runs on advertising: Digital ads worth a total of $189 billion were bought and sold last year, according to the Internet Advertising Bureau (IAB). But the ad industry’s dirty little not-so-secret is that it relies on intrusive surveillance of people’s online activities, piecing together their interests based on the websites they visit, what they post, and more.
For Vodafone, the company running the trial in Germany, TrustPid offers an alternative by allowing advertisers to gain value from customer insights while also supposedly keeping those users’ data private. But not everyone agrees. Internet privacy experts have labeled TrustPid a supercookie—a piece of technology that links a crumb of data to a user’s IP address and mobile phone number—and believe the trial should be halted and commercial plans shelved. They are particularly concerned about the way network operators are co-opting what is meant to be a simple passage of communications data, which they have unique access to, to transform it into a targeted advertising platform. Deutsche Telekom did not respond to WIRED’s request for comment. Vodafone says it’s all a misunderstanding.
“Let me stress that the TrustPid service is not a supercookie,” says Simon Poulter, senior manager of corporate communications at Vodafone Group, which is overseeing the German trial. Instead, the telco refers to the technology as being “based on digital tokens which do not include any personally identifiable information.” Each token, says Poulter, has a limited lifespan of 90 days that is specific to individual advertisers and publishers.
William Harmer, product lead at Vodafone, says the project isn’t a supercookie because it doesn’t use data interception to build up customer profiles, unlike the ad tech once used by Verizon Wireless, which in 2016 was fined $1.35 million by the US Federal Communications Commission (FCC) for having injected supercookies into users’ mobile browser requests for two years without consent. A 2015 investigation by digital civil rights nonprofit Access Now found that carriers across 10 different countries used supercookies dating back to 2000. Those negative headlines are why Vodafone pushes back so vehemently against the supercookie designation.
Vodafone claims TrustPid, which has each partner website generate a different token for the same user, reduces the likelihood of user data being triangulated across websites to create extensive profiles of user interests—a major concern for internet users sick of being chased around the web by targeted ads. “The technology has been built following a privacy-first design, and it complies with all GDPR requirements and related legislation,” says Poulter.